CVE-2026-35051
Published: 30 April 2026
Summary
CVE-2026-35051 is a critical-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Traefik (vendor: Traefik). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 4.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly prevents exploitation by requiring timely patching of vulnerable Traefik versions affected by the authentication bypass.
Vulnerability monitoring and scanning identifies deployments of vulnerable Traefik instances, enabling proactive remediation of this specific authentication bypass flaw.
Configuration settings ensure Traefik is securely configured to avoid exposing the ForwardAuth middleware vulnerability when deployed behind upstream proxies.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in Traefik, a commonly internet-facing reverse proxy and load balancer. Exploitation of this flaw in a public-facing service directly maps to initial access via T1190 Exploit Public-Facing Application, with no other techniques directly enabled by the described auth bypass alone.
NVD Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.
Deeper analysis
CVE-2026-35051 is an authentication bypass vulnerability in Traefik, an HTTP reverse proxy and load balancer. The flaw affects the ForwardAuth middleware in versions prior to 2.11.43, 3.6.14, and 3.7.0-rc.2, occurring specifically when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy.
A remote network attacker requires no privileges, authentication, or user interaction to exploit this issue, with low attack complexity. Exploitation enables bypassing authentication controls in the ForwardAuth middleware, resulting in high impacts to confidentiality and integrity but no availability disruption, as scored at CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N) and mapped to CWE-345.
Traefik has patched the vulnerability in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. Security practitioners should upgrade to these releases for mitigation. Additional details are provided in the Traefik security advisory at GHSA-6384-m2mw-rf54 and the release notes for the fixed versions.
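As an added example (not part of this record or of the Traefik project), the following check applies the fixed-version list above to a constructed host inventory, in support of the vulnerability monitoring control (RA-5). It assumes Traefik's SemVer-style tags (optional `v` prefix, `-rc.N` prereleases) and treats majors other than 2 and 3 as not covered by the advisory text.

```python
import re
# Fixed versions named in the advisory text: 2.11.43, 3.6.14 and 3.7.0-rc.2.
FIXED_2X, FIXED_3X, FIXED_37_RC = "2.11.43", "3.6.14", "3.7.0-rc.2"
# Assumed tag shape: optional 'v', MAJOR.MINOR.PATCH, optional '-rc.N' style prerelease.
_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")

def version_key(version):
    """Sortable key following SemVer: a prerelease sorts below its final release."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Traefik version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + (1, ())  # final release
    return core + (0, tuple(int(p) if p.isdigit() else p for p in pre.split(".")))

def is_affected(version):
    """True if the version predates the fix on its branch; None if outside 2.x/3.x."""
    k = version_key(version)
    if k[0] == 2:
        return k < version_key(FIXED_2X)
    if k[0] == 3:
        # The 3.7.0 release-candidate line is fixed from rc.2; the rest of 3.x is
        # fixed from 3.6.14 (3.7.0 final and later are newer than rc.2 anyway).
        if k[:3] == (3, 7, 0):
            return k < version_key(FIXED_37_RC)
        return k < version_key(FIXED_3X)
    return None  # assumption: 1.x and later majors are not covered by the advisory text

# Constructed sample inventory (hostname, reported version), not real hosts.
SAMPLE_INVENTORY = """\
edge-1 v2.11.42
edge-2 3.6.14
edge-3 3.7.0-rc.1
edge-4 3.7.0
"""

def affected_hosts(inventory):
    """Return hostnames whose Traefik version is affected by CVE-2026-35051."""
    hits = []
    for line in inventory.splitlines():
        if line.strip():
            host, ver = line.split()
            if is_affected(ver):
                hits.append(host)
    return hits

if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))  # ['edge-1', 'edge-3']
```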
Details
- CWE(s)